IU b–f Execution Readiness Refactor — 03 Authority Prompts (6 paste-ready)
IU b–f Execution Readiness Refactor — 03 Authority Prompts (Outcome D)
Six paste-ready, self-contained-after-clear, open-goal macro prompts. Each locks objective, sources, gates, execution class, evidence, and PASS/PARTIAL/BLOCKED rules — but leaves method to the Agent (no over-prescription of implementation internals). These replace command-pack doc 10's prompts. Written to prompt standard 100000x v1.3.
Shared conventions referenced by all prompts below:
- Write channel (SSH workflow_admin): `ssh contabo "docker exec -i postgres psql -U workflow_admin -d directus -v ON_ERROR_STOP=1" < /tmp/mig_NNN.sql`. MCP `query_pg` is read-only and cannot create functions or flip gates. GOTCHA: container `/tmp` ≠ host `/tmp` — pipe from a local file via stdin, do not `psql -f /tmp/x.sql`. macOS md5: `openssl md5`.
- Execution classes: C1 pure-read-only-proof · C2 additive-implementation · C3 governed-mutation-test · C4 gate-protocol · C5 document-only (defined in this pack's doc 00 §2).
- PASS/PARTIAL/BLOCKED per v1.3: PASS = outcome reached + all executed branches evidence-backed + no forbidden action + no unsafe state. PARTIAL = useful progress + exact gap remains + all safe branches done/classified + no unsafe state. BLOCKED = all meaningful safe branches blocked + exact external authority/tool/input gap named + no unsafe state.
PROMPT 1 — IU_B_C_AXIS_TREE_PURE_READONLY_PROOF_30000X
# MISSION: IU_B_C_AXIS_TREE_PURE_READONLY_PROOF_30000X
Effort: high. Mode: PURE READ-ONLY PROOF (execution class C1). DOCUMENT + READ ONLY.
Role: You own the objective — prove IU tests b and c work as read paths over live data. Do not ask for prior chat; this prompt is self-contained. Read the sources first.
## Objective
Produce evidence that:
- Test b: IUs can be filtered by the professional/domain axis (axis-B tags: legal_domain / topic / sectype / doc / kind) drawn from the Constitution, to cut/select documents.
- Test c: IUs can be filtered by the parent/child/grandchild tree axis (axis-C).
This is a READ proof only. No object is created, no command is invoked, nothing is written.
## Sources to read first (Incomex_KB)
1. knowledge/dev/reports/architecture/iu-b-to-f-execution-readiness-refactor-2026-05-28/00-overview-and-source-matrix.md (execution classes)
2. .../iu-b-to-f-execution-readiness-refactor-2026-05-28/02-revised-macro-sequence-and-waves.md (M-A spec)
3. knowledge/dev/reports/architecture/iu-core-process-brick-readiness-and-gap-survey-2026-05-28.md (live table inventory: iu_three_axis_envelope 216 axis cols, iu_metadata_tag 536, iu_relation 60, iu_tree_path 199; fn_iu_subtree live)
4. knowledge/dev/reports/architecture/iu-test-b-to-f-readiness-command-pack-2026-05-28/02-test-b-domain-axis-filter-plan.md and 03-test-c-tree-axis-filter-plan.md (BASELINE filter logic — but IGNORE their "read-only" labeling of DOT wrappers; you build NO wrapper here)
## Execution class & boundaries
- Class: C1 — PURE_READ_ONLY_PROOF.
- Channel: MCP query_pg (read-only) only. No SSH.
- Allowed: bare parameterised SELECT over iu_three_axis_envelope, iu_metadata_tag, iu_relation, iu_tree_path; calling existing STABLE functions (e.g. fn_iu_subtree) INSIDE a SELECT; reading the Constitution's axis-B tag vocabulary.
## FORBIDDEN (hard)
- Any CREATE/REPLACE FUNCTION. Any INSERT/UPDATE/DELETE. Any dot_iu_* command invocation (it writes a dot_iu_command_run audit row — that is a mutation; do NOT do it here). Any DOT catalog row. Any gate/dot_config touch. Any event registration. SSH writes. 4 Mothers work. Secret logging.
## Success definition
- Axis-B filter returns the correct IU set for >=3 distinct domain values (show the values and counts).
- Tree filter returns the correct subtree for >=2 roots at depth >=3.
- Zero-delta confirmed on ALL candidate tables INCLUDING dot_iu_command_run (delta must be 0 because nothing was invoked).
## Evidence required (no underload)
- The actual SELECT scripts (verbatim), runnable.
- Row counts per filter case + sample JSON of returned rows (>=3 rows each).
- A before/after row-count snapshot of: information_unit, iu_three_axis_envelope, iu_metadata_tag, iu_relation, iu_tree_path, iu_tree_change_log, event_outbox, dot_iu_command_run — proving all deltas = 0.
- A short note confirming fn_iu_subtree (if used) is STABLE/SELECT-only by reading its definition.
- Output to KB: knowledge/dev/reports/architecture/iu-b-c-axis-tree-pure-readonly-proof-<today>/ (00-summary + per-test docs).
## PASS/PARTIAL/BLOCKED
- PASS: both filters proven, all deltas 0, evidence complete, nothing written.
- PARTIAL: one axis proven, the other has an exact data/shape gap named.
- BLOCKED: query_pg read access fails or the axis tables are absent (name the exact gap).
## Self-check (must answer before PASS)
Did I invoke ANY dot_iu_* command? (must be NO). Is dot_iu_command_run delta exactly 0? Did I create any function or row? (must be NO). Is this genuinely C1?
PROMPT 2 — IU_F_SQL_LINK_PURE_READONLY_PROOF_30000X
# MISSION: IU_F_SQL_LINK_PURE_READONLY_PROOF_30000X
Effort: high. Mode: PURE READ-ONLY PROOF (execution class C1). DOCUMENT + READ ONLY.
Role: You own the objective — prove the SQL link between IU and current DB data works as a READ path (validate + resolve), with zero mutation and zero gate flip. Self-contained; read sources first.
## Objective
Prove test f's read half: each of the 3 live iu_sql_link rows can be VALIDATED and RESOLVED against current DB data, without enabling any link and without writing anything. (enabled=false suppresses runtime delivery/capture ONLY; the validate/resolve read paths remain valid over active rows.)
## Sources to read first (Incomex_KB)
1. .../iu-b-to-f-execution-readiness-refactor-2026-05-28/00-overview-and-source-matrix.md and 02-revised-macro-sequence-and-waves.md (M-B spec)
2. knowledge/dev/reports/architecture/iu-core-process-brick-readiness-and-gap-survey-2026-05-28.md (iu_sql_link 3 rows ALL enabled=false; fn_iu_sql_link_validate, v_iu_sql_link_resolved, fn_iu_sql_link_inbound_capture live)
3. knowledge/dev/reports/architecture/iu-test-b-to-f-readiness-command-pack-2026-05-28/04-test-f-sql-link-proof-plan.md (BASELINE — but build NO wrapper here)
## Execution class & boundaries
- Class: C1 — PURE_READ_ONLY_PROOF.
- Channel: MCP query_pg (read-only) only.
- Allowed: call fn_iu_sql_link_validate and read v_iu_sql_link_resolved as bare SELECTs over the 3 links; read the function definitions to confirm validate/resolve are STABLE/SELECT-only.
## FORBIDDEN (hard)
- Flipping any iu_sql_link.enabled. Running fn_iu_sql_link_inbound_capture (it writes). Creating any wrapper / catalog row / function. Any dot_iu_* invocation (writes an audit row). Any gate/dot_config touch. SSH writes. 4 Mothers work. Secret logging.
## Success definition
- All 3 links validate with a clear per-link pass/fail verdict.
- Resolve returns the joined live-DB shape for each link.
- Zero-delta on all tables incl. dot_iu_command_run.
## Evidence required (no underload)
- Verbatim validate output per link (3) + resolved JSON per link.
- The inspected fn_iu_sql_link_validate body confirming STABLE / no INSERT-UPDATE-DELETE.
- Before/after row-count snapshot proving 0 delta on iu_sql_link, dot_iu_command_run, event_outbox, iu_route_attempt.
- Output to KB: knowledge/dev/reports/architecture/iu-f-sql-link-pure-readonly-proof-<today>/.
## PASS/PARTIAL/BLOCKED
- PASS: 3 links validate+resolve, all deltas 0, validator proven read-only by inspection.
- PARTIAL: some links validate; an exact link/shape gap named for the rest.
- BLOCKED: validate function missing or read access fails (name the gap).
## Self-check (must answer before PASS)
Did I flip any enabled flag? (NO). Did I run capture? (NO). Did I invoke any dot_iu_* command? (NO). Is dot_iu_command_run delta 0? Is this genuinely C1?
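The following is an added example, not part of the prompt pack or the project's code. It shows how a reviewer could screen the C1 evidence from Prompts 1 and 2 offline: it diffs the before/after row-count snapshots (failing closed on an unmeasured table) and checks a function definition, in the layout PostgreSQL's `pg_get_functiondef()` prints, for a missing STABLE label, write statements, and `dot_iu_*` calls. The names `zero_delta` and `screen_function`, the snapshot values, and both sample definitions are constructed for illustration.

```python
"""Reviewer-side screening of C1 (pure read-only proof) evidence. Added example."""
import re

# Tables named in the before/after snapshot requirements of Prompts 1 and 2.
REQUIRED_TABLES = (
    "information_unit", "iu_three_axis_envelope", "iu_metadata_tag",
    "iu_relation", "iu_tree_path", "iu_tree_change_log", "event_outbox",
    "dot_iu_command_run", "iu_sql_link", "iu_route_attempt",
)

def zero_delta(before, after, required=REQUIRED_TABLES):
    """Return findings; an empty list means every required delta is 0."""
    findings = []
    for table in required:
        # Fail closed: an unmeasured table cannot be claimed unchanged.
        if table not in before or table not in after:
            findings.append(f"{table}: missing from snapshot")
        elif after[table] != before[table]:
            findings.append(f"{table}: delta {after[table] - before[table]:+d}")
    return findings

# pg_get_functiondef() layout: header, then the body between dollar-quote tags.
_DEF = re.compile(r"^(?P<header>.*?)\bAS\s+(?P<tag>\$\w*\$)(?P<body>.*?)(?P=tag)",
                  re.DOTALL | re.IGNORECASE)
_COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.DOTALL)
_WRITE = re.compile(r"\b(insert\s+into|update\s+\S+\s+set|delete\s+from|truncate"
                    r"|merge\s+into|create|alter|drop)\b", re.IGNORECASE)
_CALL = re.compile(r"\b((?:fn|dot)_iu_\w+)\s*\(", re.IGNORECASE)

def screen_function(definition):
    """Screen one definition for the 'STABLE / SELECT-only' claim.

    A STABLE label is necessary but not sufficient: a STABLE function can
    still call a VOLATILE one, so nested fn_iu_*/dot_iu_* calls are listed
    for the reviewer to inspect in turn.
    """
    m = _DEF.search(definition)
    if m is None:  # unparseable evidence is treated as a failure
        return {"ok": False, "volatility": None, "writes": [], "calls": []}
    label = re.search(r"\b(immutable|stable|volatile)\b", m["header"], re.IGNORECASE)
    volatility = label.group(1).upper() if label else "VOLATILE"  # SQL default
    body = _COMMENT.sub(" ", m["body"])
    writes = sorted({" ".join(w.lower().split()) for w in _WRITE.findall(body)})
    calls = sorted({c.lower() for c in _CALL.findall(body)})
    ok = (volatility in ("STABLE", "IMMUTABLE") and not writes
          and not any(c.startswith("dot_iu_") for c in calls))
    return {"ok": ok, "volatility": volatility, "writes": writes, "calls": calls}

# --- constructed sample evidence (not real project data or schema) ---
BEFORE = {t: 100 for t in REQUIRED_TABLES}
AFTER_CLEAN = dict(BEFORE)
AFTER_AUDITED = {**BEFORE, "dot_iu_command_run": 101}  # a dot_iu_* command ran

READ_ONLY_DEF = """CREATE OR REPLACE FUNCTION public.sample_reader(root text)
 RETURNS SETOF text
 LANGUAGE sql
 STABLE
AS $function$
  -- was: DELETE FROM sample_tree (comment text must not raise a finding)
  SELECT path FROM sample_tree WHERE path LIKE root || '%'
$function$"""

WRITING_DEF = """CREATE OR REPLACE FUNCTION public.sample_writer(link_id text)
 RETURNS void
 LANGUAGE plpgsql
AS $function$
BEGIN
  INSERT INTO sample_outbox(ref) VALUES (link_id);
  PERFORM dot_iu_sample_cmd(link_id);
END
$function$"""
```

The keyword screen is deliberately conservative: a hit is a prompt for manual reading of the body, not proof of a write.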
PROMPT 3 — IU_B_C_F_ADDITIVE_DOT_WRAPPER_IMPLEMENTATION_40000X
# MISSION: IU_B_C_F_ADDITIVE_DOT_WRAPPER_IMPLEMENTATION_40000X
Effort: high. Mode: ADDITIVE IMPLEMENTATION (execution class C2). Creates functions + DOT catalog rows. NOT read-only — it writes (DDL + catalog + audit rows). NO IU-data mutation, NO gate flip.
Role: You own the objective — turn the proven b/c/f-read proofs into reusable read-only DOT commands + a harness orchestrator. Self-contained; read sources first.
PRECONDITION: Macros IU_B_C_AXIS_TREE_PURE_READONLY_PROOF and IU_F_SQL_LINK_PURE_READONLY_PROOF must have PASSED. If their PASS evidence is not in KB, STOP and run/await them first.
## Objective
Create STABLE, SELECT-only wrapper functions and their Điều-35 DOT catalog pairs so operators can run tests b, c, and f-read as DOT commands, plus a harness orchestrator. The wrappers READ IU data but WRITE their own dot_iu_command_run audit rows (mutating=false) — that is the expected additive footprint of a C2 macro, explicitly acknowledged.
## Sources to read first (Incomex_KB)
1. .../iu-b-to-f-execution-readiness-refactor-2026-05-28/01-readonly-vs-mutation-correction-matrix.md (why this is C2, not C1) + 02 (M-C spec)
2. knowledge/dev/reports/architecture/iu-test-b-to-f-readiness-command-pack-2026-05-28/07-dot-command-gap-and-spec.md (proposed command shapes — treat as spec, re-classed to C2)
3. The PASS evidence docs from the two read-only proof macros (the exact SELECTs to wrap).
4. Survey doc for the live 42 dot_iu_* catalog + Điều 35 DOT-pair + audit requirement.
## Execution class & boundaries
- Class: C2 — ADDITIVE_IMPLEMENTATION.
- Channel: SSH workflow_admin (DDL + catalog INSERT). Prove the channel with a BEGIN/ROLLBACK probe before deep work; if it fails -> AUTHOR_MODE_ONLY (author the migration + rollback scripts, do not apply).
- Allowed: CREATE FUNCTION filter_axis_b, filter_axis_c_subtree, and the read-only sql-link wrappers (STABLE, SELECT-only bodies); INSERT DOT catalog rows for dot_iu_filter_axis_b, dot_iu_subtree, dot_iu_sql_link_validate, dot_iu_sql_link_resolve, dot_iu_test_harness_run (mutating=false). Reuse fn_iu_subtree / fn_iu_sql_link_validate — do NOT re-implement.
## FORBIDDEN (hard)
- Any IU-data INSERT/UPDATE/DELETE. Any gate/dot_config flip. Touching iu_enact.*. Split/merge/compose. Event emission or event-type registration. The mutating sql-link commands (_register, _capture_probe) — deferred to a later C3 macro. Flipping any iu_sql_link.enabled. Vector sync. 4 Mothers. Secret logging.
## Success definition
- N new STABLE functions + N new catalog rows created, and nothing else changed (before/after object diff proves it).
- Each wrapper, run once, returns the SAME result as the corresponding Wave-1 bare SELECT (parity check).
- Every new catalog row has mutating=false correct; the harness orchestrator runs b+c+f-read end to end and returns a single evidence bundle.
## Evidence required (no underload)
- The migration SQL (verbatim) + the paired rollback script (DROP FUNCTION + DELETE catalog rows).
- pg_dump --schema-only before/after byte diff + a function/catalog object diff listing exactly the new objects.
- BEGIN/ROLLBACK dry-run transcript proving creation is reversible.
- Parity table: wrapper output vs bare-SELECT output for each test.
- Output to KB: knowledge/dev/reports/architecture/iu-b-c-f-additive-dot-wrapper-<today>/.
## PASS/PARTIAL/BLOCKED
- PASS: all wrappers + harness created, parity proven, object diff clean, rollback script verified, no IU-data/gate change.
- PARTIAL: some wrappers created; exact remaining gap named; no unsafe state.
- BLOCKED: SSH workflow_admin channel unavailable (then deliver AUTHOR_MODE_ONLY scripts) or a proof precondition not met.
## Self-check (must answer before PASS)
Did I mutate any IU data or flip any gate? (must be NO). Is every wrapper body SELECT-only/STABLE? Did I reuse existing functions rather than rewrite? Is the rollback script complete and tested? Did I leave the object diff clean?
PROMPT 4 — IU_BOUNDED_GATE_PROTOCOL_AUTHORITY_PACK_50000X
# MISSION: IU_BOUNDED_GATE_PROTOCOL_AUTHORITY_PACK_50000X
Effort: xhigh. Mode: GATE PROTOCOL (execution class C4) with an explicit DESIGN-FIRST phase (C5) that runs before any live gate-function creation. This is the single safety primitive all mutating IU tests depend on.
Role: You own the objective — deliver a reusable, approval-aware protocol for opening a dot_config runtime gate for a strictly bounded window with guaranteed auto-close. Self-contained; read sources first.
## Objective
Design (and, only if Hard-Gate-0 passes, implement) gate open/close/verify-close/watchdog primitives that: open a gate only inside an approved window; auto-close on completion, timeout, or error; require an approval_id (Điều 32) on opening any mutating gate; audit every open/close; and guarantee no gate is ever left open.
## Sources to read first (Incomex_KB)
1. .../iu-b-to-f-execution-readiness-refactor-2026-05-28/02 (M-D spec) + 04-gate-law-matrix.md
2. knowledge/dev/reports/architecture/iu-test-b-to-f-readiness-command-pack-2026-05-28/08-bounded-gate-protocol.md (BASELINE design — reuse, harden)
3. Prior IU cut reports (mig 057 composer gate open) for the proven SSH workflow_admin single-TX flip pattern + preflight pin pattern + Axis E8 composer-gate precedent.
4. Survey: the 8 dot_config gates and their current values; iu_enact.allow_no_review_decision=false; iu_core.vector_sync_enabled=false.
## Execution class & boundaries
- Phase 1 — DESIGN (C5, always allowed): author open/close/verify-close/watchdog function signatures; the approval model; fail-closed semantics; the 8-gate matrix (composer_enabled, structure_ops_enabled, delivery_enabled, three_axis_auto_refresh_enabled, operator_runtime_enabled, queue.job_substrate.enabled, queue.dlq.replay_enabled, and the NEVER-flip iu_enact.allow_no_review_decision); the never-flip list.
- Phase 2 — IMPLEMENT (C4, ONLY after Hard-Gate-0 passes): create the protocol function(s) writing dot_config + dot_iu_command_run + a gate-transition record; a self-test that flips ONE gate true->false INSIDE BEGIN/ROLLBACK and proves verify-close.
## LIVE-APPLY-HARD-GATE-0 (before Phase 2)
Prove SSH workflow_admin write channel with a BEGIN/ROLLBACK probe; confirm dot_config writable by workflow_admin; confirm pg_dump backup available. If the channel fails -> stay in Phase 1 (AUTHOR_MODE_ONLY); do NOT author hours of unrequested docs; report BLOCKED on the channel.
## FORBIDDEN (hard)
- Opening any gate outside the protocol. Flipping iu_enact.allow_no_review_decision OR iu_core.vector_sync_enabled (NEVER — the correct response to "enact needs a decision" is to supply a real review_decision_id, not to bypass). Leaving any gate open at macro end. Running d/e tests. Creating live gate functions before Hard-Gate-0 passes. 4 Mothers. Secret logging.
## Success definition
- Phase 1: protocol design complete, fail-closed, approval-aware, never-flip list explicit, 8-gate matrix covered.
- Phase 2 (if reached): open/close/verify-close functions exist; the self-test proves a gate returns to its safe default; NO gate reads non-default at macro end.
## Evidence required (no underload)
- The full protocol design (function contracts + state model + approval flow + watchdog/timeout policy).
- (Phase 2) the migration SQL + rollback; the BEGIN/ROLLBACK self-test transcript; a post-run SELECT of all 8 gates proving each at its safe default.
- Output to KB: knowledge/dev/reports/architecture/iu-bounded-gate-protocol-<today>/.
## PASS/PARTIAL/BLOCKED
- PASS: design complete AND (if Hard-Gate-0 passed) functions implemented + self-test green + all gates closed.
- PARTIAL: design complete; Hard-Gate-0 not passed so implementation deferred (named).
- BLOCKED: cannot even design due to a missing source (name it) — unlikely.
## Self-check (must answer before PASS)
Is the protocol fail-closed by default? Does opening a mutating gate REQUIRE an approval_id? Is allow_no_review_decision in the never-flip list? Does ANY gate read non-default at macro end? (must be NO). Did I create a live gate function before Hard-Gate-0 passed? (must be NO).
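The following is an added sketch, not the project's gate functions and not part of the prompt. It models in memory the properties Prompt 4 asks for: approval_id required to open, a never-flip list, auto-close on completion, error, or timeout, an audit entry for every open and close, and a verify-close check. Assumptions: a dict stands in for dot_config, every gate's safe default is taken to be false, and `GateProtocol`, its method names, and `MAX_WINDOW_S` are hypothetical.

```python
"""Fail-closed bounded gate window, modelled in memory. Added example."""
import time
from contextlib import contextmanager

# The 8-gate matrix from Phase 1. Safe default False for all is an assumption.
GATES = (
    "composer_enabled", "structure_ops_enabled", "delivery_enabled",
    "three_axis_auto_refresh_enabled", "operator_runtime_enabled",
    "queue.job_substrate.enabled", "queue.dlq.replay_enabled",
    "iu_enact.allow_no_review_decision",
)
NEVER_FLIP = {"iu_enact.allow_no_review_decision", "iu_core.vector_sync_enabled"}
MAX_WINDOW_S = 300  # hypothetical upper bound on any approved window

class GateError(Exception):
    """Raised whenever the protocol refuses; a refusal never opens a gate."""

class GateProtocol:
    def __init__(self, clock=time.monotonic):
        self.config = {g: False for g in GATES}   # stand-in for dot_config
        self.deadline = {}                         # gate -> expiry on `clock`
        self.audit = []                            # (action, gate, detail)
        self.clock = clock

    def open(self, gate, approval_id, window_s):
        if gate in NEVER_FLIP or gate not in self.config:
            raise GateError(f"{gate}: not openable")
        if not approval_id:
            raise GateError(f"{gate}: approval_id required")
        if not 0 < window_s <= MAX_WINDOW_S:
            raise GateError(f"{gate}: window must be in (0, {MAX_WINDOW_S}] s")
        if self.config[gate]:
            raise GateError(f"{gate}: already open")
        self.config[gate] = True
        self.deadline[gate] = self.clock() + window_s
        self.audit.append(("open", gate, approval_id))

    def close(self, gate, reason):
        if self.config.get(gate):                  # idempotent: audit real closes only
            self.config[gate] = False
            self.deadline.pop(gate, None)
            self.audit.append(("close", gate, reason))

    def watchdog(self):
        """Close every gate whose window has expired; return what was closed."""
        now = self.clock()
        expired = [g for g, t in self.deadline.items() if now >= t]
        for gate in expired:
            self.close(gate, "timeout")
        return expired

    def require_open(self, gate):
        """Call before each mutating step; an expired window counts as closed."""
        self.watchdog()
        if not self.config.get(gate):
            raise GateError(f"{gate}: closed")

    def verify_closed(self):
        """Gates still reading non-default; must be empty at macro end."""
        return [g for g, is_open in self.config.items() if is_open]

    @contextmanager
    def window(self, gate, approval_id, window_s):
        self.open(gate, approval_id, window_s)
        reason = "error"
        try:
            yield self
            reason = "completed"
        finally:
            self.close(gate, reason)               # runs on success and on error
```

A mutating step would run inside `with gates.window(gate, approval_id, seconds):` and call `require_open(gate)` before each write; the macro-end check is `verify_closed() == []`.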
PROMPT 5 — IU_SPLIT_MERGE_REVIEW_DECISION_WIRING_AUTHORITY_PACK_50000X
# MISSION: IU_SPLIT_MERGE_REVIEW_DECISION_WIRING_AUTHORITY_PACK_50000X
Effort: xhigh. Mode: GOVERNED MUTATION TEST (execution class C3). Mutating + governed.
Role: You own the objective — wire the split/merge review-decision pipeline and run IU test d (compose/add/remove/reorder/split/merge/render) on isolated test IUs under a bounded gate. Self-contained; read sources first.
PRECONDITION: IU_BOUNDED_GATE_PROTOCOL must be IMPLEMENTED and Council-approved. If the gate protocol functions are not live, STOP — d's mutating paths cannot open a gate safely.
## Objective
Close TD-P1 (the split/merge review_decision row-builder "never committed"): commit the review sub-pipeline + row-builder that issues a real review_decision_id, wire fn_iu_piece_split/merge to require it, and demonstrate test d end to end on cloned test IUs — including the first durable use of iu_split_set / iu_merge_set.
## Sources to read first (Incomex_KB)
1. .../iu-b-to-f-execution-readiness-refactor-2026-05-28/02 (M-E spec) + 04-gate-law-matrix.md
2. knowledge/dev/reports/architecture/iu-test-b-to-f-readiness-command-pack-2026-05-28/05-test-d-compose-structure-ops-plan.md (test d sub-tests d1–d7)
3. Survey: fn_iu_piece_split/merge live; iu_split_set/iu_merge_set EMPTY; allow_no_review_decision=false; structure_operation 72=reparent60+deprecate12; the 9 d-commands; fn_iu_structure_op_rollback.
4. Prior IU cut state-machine reports (review_decision shape; cutter_governance).
DEPENDENCY: U5 cut state-machine rollback edge (mark_verified->mark_rejected) is a prerequisite for d's FAILURE path — if d5/d6 route through the cut state machine, ensure the 6th macro (IU_CUT_STATE_MACHINE_ROLLBACK_AFTER_APPROVAL_POLICY) has landed first.
## LIVE-APPLY-HARD-GATE-0
SSH workflow_admin channel BEGIN/ROLLBACK probe; PRIVILEGED read of cutter_governance.review_decision to confirm shape (RO role is denied — use workflow_admin); pg_dump backup; Dependency Closure Pack: confirm fn_iu_piece_split/merge, iu_split_set/merge_set, fn_iu_structure_op, fn_iu_structure_op_rollback all present. If review_decision shape cannot be read -> BLOCKED (R-A), report and stop.
## Execution class & boundaries
- Class: C3 — GOVERNED_MUTATION_TEST.
- Channel: SSH workflow_admin.
- Allowed: commit review sub-pipeline + row-builder issuing review_decision_id; wire split/merge to require it; open structure_ops_enabled (+composer_enabled if needed) via the gate protocol with an approval_id; run d1–d7 on CLONED test IUs (lifecycle=testing); produce committed iu_split_set/iu_merge_set rows; rollback via fn_iu_structure_op_rollback; close gates.
## FORBIDDEN (hard)
- Flipping allow_no_review_decision (supply a real review_decision_id instead — NEVER bypass). Splitting/merging production law IUs on first run (use clones). Leaving gates open. Running any split/merge without a review_decision_id. Vector sync. 4 Mothers. Secret logging.
## Success definition
- d1–d4 + d7 pass on test IUs (compose/add/remove/reorder/render).
- d5/d6 pass WITH a real review_decision_id and produce committed iu_split_set/iu_merge_set rows.
- Rollback verified; all opened gates closed; audit rows present.
## Evidence required (no underload)
- The review-decision row-builder + sub-pipeline code/migration + rollback.
- review_decision shape (from privileged read) + a sample issued review_decision_id.
- Per-sub-test transcript (d1–d7) with the test IU ids + gate open/close audit + structure_operation rows produced.
- Post-run SELECT proving structure_ops_enabled/composer_enabled back to false and test IUs retired/marked.
- Output to KB: knowledge/dev/reports/architecture/iu-split-merge-review-decision-wiring-<today>/.
## PASS/PARTIAL/BLOCKED
- PASS: d1–d7 demonstrated on test IUs with a real review_decision_id, durable split/merge sets, gates closed, rollback proven.
- PARTIAL: d1–d4/d7 pass but d5/d6 blocked on U5 state-machine edge (named) — no unsafe state, gates closed.
- BLOCKED: gate protocol not implemented, or review_decision shape unreadable (R-A), or channel down.
## Self-check (must answer before PASS)
Did I supply a real review_decision_id (not bypass allow_no_review_decision)? (must be YES/NEVER-bypass). Did I operate only on cloned test IUs? Are all opened gates closed at macro end? Did I prove rollback?
PROMPT 6 — IU_TRIGGER_IN_OUT_EVENT_CONTRACT_AUTHORITY_PACK_50000X
# MISSION: IU_TRIGGER_IN_OUT_EVENT_CONTRACT_AUTHORITY_PACK_50000X
Effort: xhigh. Mode: MIXED — C2 (event-type registration) + C3 (bounded delivery test) + C4 (delivery gate). Mutating + delivery-gated.
Role: You own the objective — define the per-IU trigger event contract and demonstrate IU test e (trigger-in + trigger-out) under a bounded, route-scoped delivery gate, without touching any of the 15 live routes. Self-contained; read sources first.
PRECONDITION: IU_BOUNDED_GATE_PROTOCOL implemented + approved. If not live, STOP.
## Objective
Register the iu.* trigger event types (register-before-emit) and prove that a test IU can: receive a trigger-in (captured), emit a trigger-out (outbox -> route attempt), and route a forced failure to the DLQ — all under a bounded delivery gate that cannot reach a real route.
## Sources to read first (Incomex_KB)
1. .../iu-b-to-f-execution-readiness-refactor-2026-05-28/02 (M-F spec) + 04-gate-law-matrix.md
2. knowledge/dev/reports/architecture/iu-test-b-to-f-readiness-command-pack-2026-05-28/06-test-e-trigger-in-out-plan.md
3. Survey: event_type_registry 31 types, NONE iu.*; fn_iu_emit_event, fn_iu_piece_emit_event, fn_iu_sql_link_inbound_capture, fn_iu_route_deliver, fn_iu_route_worker_run live; iu_outbound_route 15 (real), iu_sql_event_route 1, iu_route_dead_letter 0; delivery_enabled=false; MP-D8 event payload deny-list (no body/secret/vector).
## Execution class & boundaries
- Sub-phase 1 (C2): register iu.trigger_in.received, iu.trigger_out.emitted, iu.route.delivered, iu.route.failed in event_type_registry (JSON schema, compat_mode=forward, refs-only payload). register-before-emit.
- Sub-phase 2 (C3+C4): create a test route + test IU; open delivery_enabled (route-scoped if supported) via the gate protocol with an approval_id; run trigger-in (capture) + trigger-out (emit -> outbox -> route attempt); force a failure -> DLQ; close gate.
- Channel: SSH workflow_admin. Dependency Closure Pack: confirm event_type_registry, fn_iu_emit_event, fn_iu_piece_emit_event, iu_outbound_route (15), iu_sql_event_route (1), fn_iu_route_deliver, fn_iu_route_worker_run, iu_route_dead_letter (0), fn_iu_route_dead_letter_replay; INVENTORY the 15 live routes so the delivery flip cannot deliver a real route.
## LIVE-APPLY-HARD-GATE-0
SSH workflow_admin channel probe; pg_dump backup; confirm delivery gate can be route-scoped. If route-scoping is NOT supported (R-B), a global flip requires proving all 15 real routes inert before opening — if that cannot be guaranteed, report PARTIAL/BLOCKED rather than risk a real delivery.
## FORBIDDEN (hard)
- Emitting unregistered events. Delivering to ANY of the 15 real routes. Leaving delivery_enabled open at macro end. Payloads carrying body/secret/vector (MP-D8 deny-list). Flipping allow_no_review_decision or vector_sync_enabled. 4 Mothers. Secret logging.
## Success definition
- 4 iu.* event types registered with schemas (refs-only).
- Trigger-in capture recorded for a test IU; trigger-out emits an outbox row + route attempt; forced failure lands in iu_route_dead_letter (first population of the 0-row table).
- delivery_enabled reads false at macro end; no real route delivered.
## Evidence required (no underload)
- The 4 event-type registration rows (schema + compat_mode) + rollback.
- The 15-live-route inventory + the test route definition proving isolation.
- Trigger-in/out transcript with the test IU id; the outbox row, route attempt row, and DLQ row produced; gate open/close audit.
- Post-run SELECT proving delivery_enabled=false and test artifacts retired.
- Output to KB: knowledge/dev/reports/architecture/iu-trigger-in-out-event-contract-<today>/.
## PASS/PARTIAL/BLOCKED
- PASS: 4 types registered, trigger-in/out + DLQ demonstrated on a test route, delivery gate closed, no real route touched.
- PARTIAL: types registered (C2) but delivery test deferred because route-scoping unprovable (R-B) — no unsafe state.
- BLOCKED: gate protocol not live, or cannot guarantee the 15 real routes inert.
## Self-check (must answer before PASS)
Did I register before emitting? Did any payload carry body/secret/vector? (must be NO). Could the delivery flip have reached a real route? (must be NO — prove isolation). Is delivery_enabled false at macro end?
Note — the 6th/U5 follow-up prompt (prerequisite of Prompt 5's failure path)
If d5/d6 route through the cut state machine, author and run IU_CUT_STATE_MACHINE_ROLLBACK_AFTER_APPROVAL_POLICY (C3) before Prompt 5. It adds the missing mark_verified→mark_rejected rollback edge so a cut_request cannot stick at mark_verified with cut_run_id=NULL. Sources: prior IU cut reports (mig 054–058, fn_cut_apply phantom-cut fix, preflight Axis E8). This is listed as U5 in command-pack doc 09 and is the only prompt deferred-but-named rather than fully authored here, because its exact shape depends on whether Prompt 5's split/merge actually traverses the cut state machine (a fact the Prompt-5 Agent confirms via Dependency Closure Pack). Authoring it speculatively would over-prescribe; it is bounded here as a named prerequisite with sources.